Gen.Trojan.Heur.RP.FWaadPfKpj_67f845b640 – Adaware

Dynamic Analysis

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

winnet.exe:1248
Intel.exe:1900

The Trojan injects its code into the following process(es):

%original file name%.exe:2956
Reality.log:1796
pack11.exe:3608

Mutexes

The following mutexes were created/opened:No objects were found.

File activity

The process %original file name%.exe:2956 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Intel.sys (20 bytes)
C:\Windows\winnet.dll (124 bytes)
C:\Windows\winnet.exe (70 bytes)
C:\Windows\System32\config\SYSTEM.LOG1 (7918 bytes)
C:\$Directory (2304 bytes)
C:\Windows\System32\config\SYSTEM (5748 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Intel.exe (127 bytes)

The process pack11.exe:3608 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

The process winnet.exe:1248 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

C:\Windows\winnet.dll (126 bytes)
C:\Windows\LSP.dll (88 bytes)

The process Intel.exe:1900 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\pack11.exe (7427 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\pack11[1].exe (6835 bytes)

Registry activity

The process %original file name%.exe:2956 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\System\CurrentControlSet\services\Intel\Instances\Intel Instance]
"Flags" = "0"

[HKLM\System\CurrentControlSet\services\Intel\Instances]
"DefaultInstance" = "Intel Instance"

[HKLM\System\CurrentControlSet\services\Intel\Instances\Intel Instance]
"Altitude" = "370033"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

The process winnet.exe:1248 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000022]
"ProtocolName" = "LR_LSP"

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000007]
"PackedCatalogItem" = "25 53 79 73 74 65 6D 52 6F 6F 74 25 5C 73 79 73"

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000002]
"ProtocolName" = "@%SystemRoot%\System32\wshtcpip.dll,-60101"

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000007]
"ProtocolName" = "@%SystemRoot%\System32\wshqos.dll,-100"

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000024]
"ProtocolName" = "LR_LSP"

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000006]
"PackedCatalogItem" = "25 53 79 73 74 65 6D 52 6F 6F 74 25 5C 73 79 73"

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000005]
"PackedCatalogItem" = "25 53 79 73 74 65 6D 52 6F 6F 74 25 5C 73 79 73"

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000004]
"PackedCatalogItem" = "25 53 79 73 74 65 6D 52 6F 6F 74 25 5C 73 79 73"

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000024]
"PackedCatalogItem" = "43 3A 5C 57 69 6E 64 6F 77 73 5C 4C 53 50 2E 64"

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000008]
"ProtocolName" = "@%SystemRoot%\System32\wshqos.dll,-101"

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9]
"Next_Catalog_Entry_ID" = "1124"

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000018]
"PackedCatalogItem" = "25 53 79 73 74 65 6D 52 6F 6F 74 25 5C 73 79 73"

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000010]
"ProtocolName" = "@%SystemRoot%\System32\wshqos.dll,-103"

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000013]
"ProtocolName" = "MSAFD NetBIOS [\Device\NetBT_Tcpip6_{BDC8D276-A5D8-4E4C-8EB2-2752A8E55337}] SEQPACKET 2"

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000023]
"ProtocolName" = "LR_LSP"

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000009]
"PackedCatalogItem" = "25 53 79 73 74 65 6D 52 6F 6F 74 25 5C 73 79 73"

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9]
"Num_Catalog_Entries" = "21"

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000004]
"ProtocolName" = "@%SystemRoot%\System32\wship6.dll,-60100"

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000009]
"ProtocolName" = "@%SystemRoot%\System32\wshqos.dll,-102"

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000013]
"PackedCatalogItem" = "25 53 79 73 74 65 6D 52 6F 6F 74 25 5C 73 79 73"

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000016]
"ProtocolName" = "MSAFD NetBIOS [\Device\NetBT_Tcpip6_{03967CDD-F8BD-4AC9-8369-0D2BD8F246F5}] DATAGRAM 1"

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000021]
"PackedCatalogItem" = "43 3A 5C 57 69 6E 64 6F 77 73 5C 4C 53 50 2E 64"

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000010]
"PackedCatalogItem" = "25 53 79 73 74 65 6D 52 6F 6F 74 25 5C 73 79 73"

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000015]
"ProtocolName" = "MSAFD NetBIOS [\Device\NetBT_Tcpip6_{03967CDD-F8BD-4AC9-8369-0D2BD8F246F5}] SEQPACKET 1"

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000018]
"ProtocolName" = "MSAFD NetBIOS [\Device\NetBT_Tcpip6_{FB1DE278-988C-428A-AF16-245107A1AA49}] DATAGRAM 3"

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000011]
"PackedCatalogItem" = "25 53 79 73 74 65 6D 52 6F 6F 74 25 5C 73 79 73"

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000003]
"PackedCatalogItem" = "25 53 79 73 74 65 6D 52 6F 6F 74 25 5C 73 79 73"

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001]
"PackedCatalogItem" = "25 53 79 73 74 65 6D 52 6F 6F 74 25 5C 73 79 73"

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000012]
"ProtocolName" = "MSAFD NetBIOS [\Device\NetBT_Tcpip_{03967CDD-F8BD-4AC9-8369-0D2BD8F246F5}] DATAGRAM 0"

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000021]
"ProtocolName" = "LR_LSP"

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000020]
"ProtocolName" = "VMCI sockets STREAM"

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9]
"Serial_Access_Num" = "43"

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000019]
"ProtocolName" = "VMCI sockets DGRAM"

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000014]
"PackedCatalogItem" = "25 53 79 73 74 65 6D 52 6F 6F 74 25 5C 73 79 73"

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000002]
"PackedCatalogItem" = "25 53 79 73 74 65 6D 52 6F 6F 74 25 5C 73 79 73"

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000014]
"ProtocolName" = "MSAFD NetBIOS [\Device\NetBT_Tcpip6_{BDC8D276-A5D8-4E4C-8EB2-2752A8E55337}] DATAGRAM 2"

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000015]
"PackedCatalogItem" = "25 53 79 73 74 65 6D 52 6F 6F 74 25 5C 73 79 73"

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000016]
"PackedCatalogItem" = "25 53 79 73 74 65 6D 52 6F 6F 74 25 5C 73 79 73"

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000020]
"PackedCatalogItem" = "25 53 79 73 74 65 6D 52 6F 6F 74 25 5C 73 79 73"

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000019]
"PackedCatalogItem" = "25 53 79 73 74 65 6D 52 6F 6F 74 25 5C 73 79 73"

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000017]
"PackedCatalogItem" = "25 53 79 73 74 65 6D 52 6F 6F 74 25 5C 73 79 73"

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000023]
"PackedCatalogItem" = "43 3A 5C 57 69 6E 64 6F 77 73 5C 4C 53 50 2E 64"

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000008]
"PackedCatalogItem" = "25 53 79 73 74 65 6D 52 6F 6F 74 25 5C 73 79 73"

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000003]
"ProtocolName" = "@%SystemRoot%\System32\wshtcpip.dll,-60102"

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000017]
"ProtocolName" = "MSAFD NetBIOS [\Device\NetBT_Tcpip6_{FB1DE278-988C-428A-AF16-245107A1AA49}] SEQPACKET 3"

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000011]
"ProtocolName" = "MSAFD NetBIOS [\Device\NetBT_Tcpip_{03967CDD-F8BD-4AC9-8369-0D2BD8F246F5}] SEQPACKET 0"

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000005]
"ProtocolName" = "@%SystemRoot%\System32\wship6.dll,-60101"

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000022]
"PackedCatalogItem" = "43 3A 5C 57 69 6E 64 6F 77 73 5C 4C 53 50 2E 64"

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001]
"ProtocolName" = "@%SystemRoot%\System32\wshtcpip.dll,-60100"

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000006]
"ProtocolName" = "@%SystemRoot%\System32\wship6.dll,-60102"

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000012]
"PackedCatalogItem" = "25 53 79 73 74 65 6D 52 6F 6F 74 25 5C 73 79 73"

The Trojan deletes the following registry key(s):

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000024]
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000012]
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000013]
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000010]
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000011]
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000016]
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000017]
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000014]
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000015]
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000023]
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000018]
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000019]
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000022]
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000007]
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000006]
[HKLM\System\CurrentControlSet\services\WinSock2\Parameters\Protocol_Catalog9\0000002C]
[HKLM\System\CurrentControlSet\services\WinSock2\Parameters\Protocol_Catalog9\0000002B]
[HKLM\System\CurrentControlSet\services\WinSock2\Parameters\Protocol_Catalog9\0000002A]
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001]
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000003]
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000002]
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000005]
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000004]
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000021]
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000020]
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000009]
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000008]

The process Intel.exe:1900 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Tracing\Intel_RASMANCS]
"ConsoleTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\Intel_RASAPI32]
"ConsoleTracingMask" = "4294901760"
"EnableFileTracing" = "0"
"FileTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\Intel_RASMANCS]
"FileTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\Intel_RASAPI32]
"FileDirectory" = "%windir%\tracing"

[HKLM\SOFTWARE\Microsoft\Tracing\Intel_RASMANCS]
"FileDirectory" = "%windir%\tracing"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKLM\SOFTWARE\Microsoft\Tracing\Intel_RASMANCS]
"EnableFileTracing" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3C 00 00 00 09 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Tracing\Intel_RASAPI32]
"MaxFileSize" = "1048576"

[HKLM\SOFTWARE\Microsoft\Tracing\Intel_RASMANCS]
"MaxFileSize" = "1048576"

[HKLM\SOFTWARE\Microsoft\Tracing\Intel_RASAPI32]
"EnableConsoleTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\Intel_RASMANCS]
"EnableConsoleTracing" = "0"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"INTEL" = "C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Intel.exe"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"AutoConfigURL"

Dropped PE files

MD5	File path
03743259b426d308769257cb9ed9e93f	c:\Windows\LSP.dll
c0cef56783f492e1e9f29a6f15848b74	c:\Windows\winnet.dll
7c184ba0b79448b278caef6895ac6cf4	c:\Windows\winnet.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

Using the driver "\??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Intel.sys" the Trojan controls loading executable images into a memory by installing the Load image notifier.

Using the driver "\??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Intel.sys" the Trojan controls operations with a system registry by installing the registry notifier.

Propagation

Removals

Remove it with Ad-Aware

Click (here) to download and install Ad-Aware Free Antivirus.
Update the definition files.
Run a full scan of your computer.

Manual removal*

Scan a system with an anti-rootkit tool.
Terminate malicious process(es) (How to End a Process With the Task Manager):
winnet.exe:1248
Intel.exe:1900
Delete the original Trojan file.
Delete or disinfect the following files created/modified by the Trojan:
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Intel.sys (20 bytes)
C:\Windows\winnet.dll (124 bytes)
C:\Windows\winnet.exe (70 bytes)
C:\Windows\System32\config\SYSTEM.LOG1 (7918 bytes)
C:\$Directory (2304 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Intel.exe (127 bytes)
C:\Windows\LSP.dll (88 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\pack11.exe (7427 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\pack11[1].exe (6835 bytes)
Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"INTEL" = "C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Intel.exe"
Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

VersionInfo

No information is available.

PE Sections

Name	Virtual Address	Virtual Size	Raw Size	Entropy	Section MD5
.text	4096	34759	0	0	d41d8cd98f00b204e9800998ecf8427e
.rdata	40960	10454	0	0	d41d8cd98f00b204e9800998ecf8427e
.data	53248	12268	0	0	d41d8cd98f00b204e9800998ecf8427e
.vmp0	65536	5256863	0	0	d41d8cd98f00b204e9800998ecf8427e
.vmp1	5324800	4729192	4729344	5.38718	4fb51347839a3806d70ae489fa68c00b
.reloc	10055680	244	512	2.07686	2f5a7d0f98be02539885a12becc5f6db
.rsrc	10059776	286205	286208	1.886	5365c5f5ef46ff9112f3b8db23e27491

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Network Activity

URLs

URL	IP
hxxp://www.dresou.net/pack11.exe	47.90.18.203
www.wdcrf.net	43.241.50.128

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET /pack11.exe HTTP/1.1

Accept: */*

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)

Host: VVV.dresou.net

Connection: Keep-Alive

HTTP/1.1 200 OK

Content-Length: 42496

Content-Type: application/octet-stream

Last-Modified: Tue, 06 Dec 2016 06:37:42 GMT

Accept-Ranges: bytes

ETag: "07fcf3e8b4fd21:6ab"

Server: Microsoft-IIS/6.0

X-Powered-By: ASP.NET

Date: Wed, 18 Jan 2017 05:33:58 GMT

MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........................)...............(.......................-.....................Rich....................PE..L...N..W............................p:.......@....@..........................P............@..................................B.......@.......................C......................................4<..H...........................................UPX0....................................UPX1................................@....rsrc........@......................@......................................................................................................................................................................................................................................................................................................................................................................................................3.91.UPX!....r&.\...1....o.......&..{....U.....SV.5....... .3.W..3..]..........|#.F....@.....4.......m{..Q..U....Hu..'..~.............E.......t.....................I._..^..[..]..........o...Ut-...............HTTP/1.1 200 OK..Content-Length: 42496..Content-Type: application/octet-stream..Last-Modified: Tue, 06 Dec 2016 06:37:42 GMT..Accept-Ranges: bytes..ETag: "07fcf3e8b4fd21:6ab"..Server: Microsoft-IIS/6.0..X-Powered-By: ASP.NET..Date: Wed, 18 Jan 2017 05:33:58 GMT..MZ......................@...............................................!..

<<< skipped >>>

Map

The Trojan connects to the servers at the folowing location(s):

Strings from Dumps

%original file name%.exe_2956:

.text

`.rdata

@.data

.vmp0

.vmp1

.reloc

@.rsrc

GetProcessWindowStation

Reality.log

D:\chengzhen\DNF\StartGame\Release\StartGame.pdb

C:\OneRun.txt

360tcpview

365tcpview

cports

tcpview

c:\%original file name%.exe

zr_]UbN

.xV``

.YB}n=

.uBs{(JBq

&.uFi

Please contact the application's support team for more information.

- Attempt to initialize the CRT more than once.

- CRT not initialized

- floating point support not loaded

USER32.DLL

operator

activation.php?code=

deactivation.php?hash=

y2.eu:

.?AVIUrlBuilderSource@@

` Bb]%X

.Ujb!7l$_s

.jbBA

uDp'\T?UT6

^U.Qf

/.XZViC

"%1zqQ.Rog$

YQ.EM6

$[.zZ9)~M

-%fT\;Q

L.rg-

%F/.0

(nF%sr5-

Y

.ToDLCF

Q.EMN

-r.arz%l\

".qZE=

_DsSH[Tq

M:.yjJu|h#

\TCpAIN

v.uYQ2Ls

VeRr%3x

.utDd'3|

m&y.Wh{(

7h}%f

".qPd

.Wh2N

xX_C~^%xtC

Ni%f*

.uJjQ?p8_

.so$:evV=

&.yxHh7

xOKCXQai.EMf

MfY2M2.af

Ee.cS[4'

r.uYQ>

$kdDw#hp .hJ

5va.Ire&YF

).yb-~

5NCsSH

-b}u6

&.YqLl

]:.aq2

".yU~F

6 ]em.Poh

kc(>m&.UT

n.yU]"

.ek4'/`x

.YJIZ-

.qbj)

c.zrA

V^%dT\C

!~Q.IreFg(

0OZjb=

(c.zrE

>U!-b}6u

(oe2.yTp?

}.yb-{

^.px3

_@.qe

'gi.de

z-b}u

Mf:m%fz%

i.EMV

e.EeF

wPAE%uz

V^Ã

HkXPCNZ5&.UTdl

n%Ux

Jm%f|

8"th/%fn

&.yxH@_3Lck

C8 s)z.yi6"e

`em.DE'

X !j~_:

J%Dpx

L^.px

.MEnc7?|

.AVme&k?

via:.yoD

dt#4

.Yn_W0

4[.zr

-BP2}6

V^Ã8O>2

.zZE

0/'l=ia.Ee*`

.yFf=`?

M2.aL@W

%fOk,WX

-Mm}u

)r-%f

Rr_]Ufk?

]2.qa"

.yb1bA

uQ.IBUB]V

`a%fh3_-

%7U}u2

QY.Ee6

|?p{(M:.eb

".qPL3l

/.XT?

W8.anNa

dUI6i.aB

-2}JjE-^qQZ

n^V-%fp,

rs/.yM

.meF$

{.IY(ssp

.iw(W_0;3PCL

f!V^%dT\W

ck4g(s0U.aF

)gQ^TcPp f2:Q

}.yb-V=

&.iw(v

%fyq&Y

9RM6a.Ify

.iPdC

.zr-ZR]

.YBYbU

&.im%

Kd_Lq.OTo$

}.un1z=

.ie_Z

&.YDHoWa

m&.wJ

.XT7?P

%FY:s

}.qy&4gZ

vj=w

P<.leti_->

C".qPd7

S@.iq

&e.EM>s'

.eixn

~â€žc_

u.ybY

bZ5Oy&b%dH{m

e.anf9x,$

UT".iRAL

kGp/.XT[

h`7r&.ir

j$=z.ue:

.iPdO

.iNEj)

V^%dT\ @`G

S-j}]2wGg,

CZ.pPS/

Z5%fH

.iD`W

.evV=

.TS\E

uAz.qbjU

(m4.TA

".ab9)f

.uFukjg

071=^6

QT".qe

nfÃ

FfÃ

2.eA{'nS

=r.iPdC

.Yj)R5

cU.Ee

5z.qa

%DL;gZ

e2.qa"

7l?h[Hm.aN

c'TCpx

NJ= \Å¸

kKpy-%f

}Y.aR

&.iw

&.uJjA

%fqQf

kV|9.tPG

Wd

Q:d~ykc@.YfFU}

pP7r&.iq

sSHW

S[0y-%f[GD

/\-yY.de

"U].UdDG

%F}uB

-ytu}

'|sSHr%

9b".aJIZE~

d.NeRr9

aEr.uc4

H^.px

^5-j}

"U.bQ

}V^%dTtC

.Tp';

>6UbSsH

V-&.irz-"u

.IqC~

.ab9p@H?."}

-G.RU

}.ybM

BJU\lLC".qy*

}.qy&4gNjE

g~v%dT

.qD`/?

q.uTK

U:v.Mai

i2.eu>

!;m.GKR

h.jls

.hsPb3

.hsPf5a

.hC:f

_qf%xrb

|e.eZ*

Js%sX

.odTa

.HA;

`h%fp

.oVSa

d1.Zf.

nB.MCU

.UC\&

&.Zf*L

|e.uE

%SqM:2

.VRKHV=

V|"'mOusSh

4 `h%fp

|^.dd

.Nn59

{.UFt

-l%d)

.IC\&

.zq)y6

B;3%x

bBE.rcD

.FM\m

.g(%d,dc

s9G.lB,

uudPC

KqÃ±*

>-%x(

.gJw/

\.vN%

.YRKBf

H%U|[

H%Us[

).JS3

'%X~&

/.DTa

8U.VBF

z31 e.VB

L.za=

.Aye?$

.DFIM

}-Sh}m

JFtp

$]%D#X

|e.VR

!C.YB

dR.XE

I!K.bB

JP%d,

Q%c:x

;lz%u

vrÃ½

trK%U

ryf=.wKH?

s-E}.

nd.va

5<.tj>

Q/}

.U%D$9

.Zl@ h;

BZ.ti

DD.ZZ

pj.YK&

*%sVO6

J.Bx=

`%s},

.GDZe

.Bg=I

3@F%x

F.uljH

w.LXVL

oC%d@

).cuP

3.vUu

>Z.Dq

.MDRw

{?a%u_

K\X.emh

2^:_56!5

%X#X2Vy8h

yFTP

/.Lec

wW%sw8;x$

.lcHp

X\%dZ

t%fnL

dessH

(1.Wl:

`.pLv

}gq%Xp

h\1(.zU

I`.PkG

%X@X!(j

%u6mO.

H\.kH@

TH 9EXe

.MvV`

UXY.uE

.ly1z

%c!OA

JExE

.GXoj

Dg.pL

x_.Xw

.Cxs#

c4.XC

.UE%3

H.Ib*OE

s.Qa4KG

*0%UtR

d\).zO

@%fpL1

F24

.SLOL

%Sk%6

%4.d{

Cz:%C

*M.QS~

%Fu^gw

%XSP}

>ge.DM

x*O2%U

-3}xH

u7H%S

c%x0.

~d.hz

RL

G,Y%U

M.hzc

.CL",

.Any1V

bB$,F

.DBE:

%u@-N

fJi.FH

.Hy6e

8Tt%u)

.MU_(

[{%fH#d

r4)%UG

.lD?g3w

#(.HS

tweb

.mQH5

.yi,Q

U%c*P

Z/.kY]

wBZ.cw

K%U=-

.BU{,i

a=%do5

Wpmsg

(.une`

H%U-=

wBZ.cs

6J<.gwy>

wBZ.wJ

.UMTa

UgO.eQ

%Dk*qH

1%XWw

99.%F

.uk@B

AjT%s

5>%F"2

ftPy

=X-Q}

eG.uN

.QU=~

W`~%xx

ÃžJ6

4n!.kT "

T%S0F?V

pI%SmJ*^

%Ubq%

X%Djy[

=.ptS

#&.ns

.XMTa

.Nr_d

o.PVX

,p3%x

d%s15(

.zVZ?

G.dV'

QweB0

d=cÃ¼i

g|%Cv

=.aG)c

iSTZ%u

8 IK3%d

#%fW[iG

T{%S8

M:.hP

W$.wI/i

AA.pV

jZ.znI

%D-m=

Zg-A}

}*r%d/

.>t%f(

d.ck3p

.Ej#6`

nob.wX`#j

%a.dp

.qI-K

? .RMTaG

"Tdb.wY

.RMTa/{U

hSZ.eG

Summary

Dynamic Analysis

Removals

Static Analysis

Network Activity

Map

Strings from Dumps